The B2B breach trifecta: Equifax, SEC and Deloitte

Why did Equifax take a beating in the headlines, but the SEC breach was barely a blip? Forrester examines the Equifax, SEC and Deloitte data breaches.
Written by Jeff Pollard, Contributor


Why did Equifax take a beating in the headlines, but the SEC breach was barely a blip?

Equifax is primarily a B2B company, but the data stolen was consumer data. Couple that with one of the worst possible responses to a breach: inconsistent answers; asking affected users to sign up for Equifax's own products; the end user license agreement fiasco, which drew the attention of New York Attorney General Eric Schneiderman; the discovery of a prior hack by the same group; and the routing of users to a fake website put up by a security researcher.


Equifax getting pummeled is not too surprising, or undeserved for that matter.

The tepid response to the SEC breach can be boiled down to two factors:

What do the hacks signal? Is this a trend? How does Deloitte fit?

It's always tough to call hacking a trend; after all, "hackers gonna hack." However, these breaches continue to prove that the oft-used Willie Sutton adage about robbing banks "because that's where the money is" is still relevant in the 21st century. Hackers have adapted to the digital transformation and the data economy much like enterprises have, and that means adjusting how and what they target. Deloitte fits in three ways:

You can make insider trades with this data as well. It isn't just the information held by the SEC that has value for a threat actor seeking to monetize stolen information through stock market trades. Deloitte has an advisory practice, which means it performs taxation and accounting audits for organizations. That audit information is the source of the data used in the very same SEC filings that may have been accessed by attackers in the SEC breach. Therefore Deloitte, or any taxation and advisory firm, is a good target for the same reasons the SEC is.

Sure, but Deloitte sells security services, and the SEC is a regulatory body. Both should be better at this, right?

It seems that by 2017 we have, hopefully, moved past the "tar and feathers" approach when a breach comes to light. A smidge of public shaming, the inevitable litigation, and third-party contractual consequences should be sufficient in all but the most egregious scenarios. But:

What should security professionals do if they work with a breached service provider?

If you are the customer of any service provider that gets breached, you should consider your own organization at greater risk. Here are some things to think about based on the nature of the Deloitte breach:
